Database Registration and Firewalls
Official Documentation
The update notification must be able to reach Odoo’s subscription validation servers. Ensure your network and firewall settings allow the Odoo server to open outgoing connections towards:
- Odoo 18.0 and above: services.odoo.com on port 80
- Odoo 17.0 and below: services.openerp.com on port 80
These ports must be kept open even after registering a database, as the update notification runs once a week.
Iptables
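Sample minimalist iptables rule set
# Allow LAN to access Odoo
iptables -A INPUT -p tcp --dport 8069 -s 192.168.1.0/24 -j ACCEPT
# Allow DNS lookups so Odoo can resolve services.odoo.com (otherwise blocked by the OUTPUT DROP policy)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Allow Odoo to reach services.odoo.com on port 80
# (iptables resolves the hostname once, when the rule is added; re-add the rule if the address changes)
iptables -A OUTPUT -p tcp -d services.odoo.com --dport 80 -j ACCEPT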
# Allow established traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
UFW with explicit services.odoo.com rule
UFW rules take IP addresses rather than hostnames, so the minimal rule set explicitly allows outbound traffic on port 80 to each address that services.odoo.com resolves to.
Assume services.odoo.com resolves to something like:
23.45.123.10
23.45.123.11
Add UFW rules for each IP:
ufw allow out to 23.45.123.10 port 80 proto tcp
ufw allow out to 23.45.123.11 port 80 proto tcp
Keep the rest locked down:
ufw default deny incoming
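ufw default deny outgoing
# Allow DNS lookups so Odoo can resolve services.odoo.com (otherwise blocked by the default deny outgoing policy)
ufw allow out 53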
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
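Because UFW rules hold literal addresses, the exception above goes stale when the DNS records for services.odoo.com change. The script below is an added example, not part of the Odoo documentation: it turns resolver output into the ufw commands needed to bring the exception up to date, printing them rather than applying them. The function names, the `getent ahostsv4` input format and the stale address 23.45.123.99 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints the ufw commands, never applies them.

# Read `getent ahostsv4 <host>`-style lines on stdin and print the
# unique, well-formed IPv4 addresses found in the first column.
extract_ips() {
    awk '{ print $1 }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
        sort -u
}

# sync_rules OLD NEW: print the commands that move the port-80 egress
# allow-list from OLD to NEW (newline-separated address lists).
sync_rules() {
    old=$(printf '%s\n' "$1" | sort -u)
    new=$(printf '%s\n' "$2" | sort -u)
    # A failed lookup must not wipe the working exception.
    [ -n "$new" ] || { echo "no addresses resolved, rules unchanged" >&2; return 1; }
    # Additions first, so the exception never has a gap.
    for ip in $new; do
        printf '%s\n' "$old" | grep -qxF "$ip" ||
            echo "ufw allow out to $ip port 80 proto tcp"
    done
    for ip in $old; do
        printf '%s\n' "$new" | grep -qxF "$ip" ||
            echo "ufw delete allow out to $ip port 80 proto tcp"
    done
}

# Constructed sample of resolver output, using the page's example addresses.
SAMPLE='23.45.123.10    STREAM services.odoo.com
23.45.123.10    DGRAM
23.45.123.11    STREAM
23.45.123.11    DGRAM
not-an-ip       RAW'
# Constructed current allow-list; 23.45.123.99 stands in for a stale address.
CURRENT='23.45.123.10
23.45.123.99'

RESOLVED=$(printf '%s\n' "$SAMPLE" | extract_ips)
sync_rules "$CURRENT" "$RESOLVED"
```

In live use, feed `extract_ips` from `getent ahostsv4 services.odoo.com` and review the printed commands before running them.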
Fail2ban
Fail2ban helps protect your server from automated attacks by monitoring log files for suspicious activity, such as repeated failed login attempts. When it detects a potential threat, it automatically blocks the offending IP address for a configurable period. This reduces the risk of brute-force attacks, protects sensitive services like SSH and web applications, and enhances overall server security with minimal ongoing maintenance.